From fe1f9475409f252b6ca2dccc71187868e168c74b Mon Sep 17 00:00:00 2001
From: John Thacker
Date: Thu, 26 Nov 2020 01:10:34 -0500
Subject: [PATCH] macOS: Enable PKCS #11 support when building with macos-setup.sh

Enable PKCS #11 support in macOS builds with macos-setup.sh (already supported on macOS via Homebrew and on all other OSes with GnuTLS 3.4 or greater) by installing p11-kit (and its dependency libtasn1) and building nettle and GnuTLS against it.
---
 CMakeLists.txt | 8 +--
 tools/macos-setup.sh | 127 ++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 129 insertions(+), 6 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5893baa28b..89d50309da 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -1236,11 +1236,11 @@ add_custom_target(dist
 )

 if(GNUTLS_FOUND AND NOT GNUTLS_VERSION VERSION_LESS "3.4.0")
- # While all Linux and Windows builds have PKCS #11 support enabled,
- # macos-setup.sh explicitly disables it using --without-p11-kit.
+ # Calculating public keys from PKCS #11 private keys requires GnuTLS
+ # 3.4.0 or greater.
 #
- # Require at least GnuTLS 3.4.0 such that public keys can be calculated
- # from PKCS #11 private keys.
+ # Check that the support is present in case GnuTLS was compiled
+ # --without-p11-kit as macos-setup.sh did until recently.
 include(CheckSymbolExists)
 cmake_push_check_state()
 if(WIN32)
diff --git a/tools/macos-setup.sh b/tools/macos-setup.sh
index 9493622c30..937cf6d76f 100755
--- a/tools/macos-setup.sh
+++ b/tools/macos-setup.sh
@@ -150,6 +150,13 @@ if [ "$GNUTLS_VERSION" ]; then
 # And, in turn, Nettle requires GMP.
 #
 GMP_VERSION=6.2.1
+
+ #
+ # And p11-kit
+ P11KIT_VERSION=0.23.21
+
+ # Which requires libtasn1
+ LIBTASN1_VERSION=4.16.0
 fi
 # Use 5.2.4, not 5.3, for now; lua_bitop.c hasn't been ported to 5.3
 # yet, and we need to check for compatibility issues (we'd want Lua 
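Review bot: The rewritten comment's `as macos-setup.sh did until recently` is a relative time reference that will read wrong once this commit is old; anchoring it to the event keeps it accurate, e.g. `# --without-p11-kit, as macos-setup.sh did before it started installing p11-kit.` The first half of the new comment (why 3.4.0 is the floor) is clear as written. The if(GNUTLS_FOUND ...) block and the symbol check it introduces continue past the end of the hunk.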
@@ -1120,6 +1127,90 @@ uninstall_gmp() {
 fi
 }

+install_libtasn1() {
+ if [ "$LIBTASN1_VERSION" -a ! -f libtasn1-$LIBTASN1_VERSION-done ] ; then
+ echo "Downloading, building, and installing libtasn1:"
+ [ -f libtasn1-$LIBTASN1_VERSION.tar.gz ] || curl -L -O https://ftpmirror.gnu.org/libtasn1/libtasn1-$LIBTASN1_VERSION.tar.gz || exit 1
+ $no_build && echo "Skipping installation" && return
+ gzcat libtasn1-$LIBTASN1_VERSION.tar.gz | tar xf - || exit 1
+ cd libtasn1-$LIBTASN1_VERSION
+ CFLAGS="$CFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" CXXFLAGS="$CXXFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" LDFLAGS="$LDFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" ./configure || exit 1
+ make $MAKE_BUILD_OPTS || exit 1
+ $DO_MAKE_INSTALL || exit 1
+ cd ..
+ touch libtasn1-$LIBTASN1_VERSION-done
+ fi
+}
+
+uninstall_libtasn1() {
+ if [ ! -z "$installed_libtasn1_version" ] ; then
+ #
+ # p11-kit depends on this, so uninstall it.
+ #
+ uninstall_p11_kit "$@"
+
+ echo "Uninstalling libtasn1:"
+ cd nettle-$installed_libtasn1_version
+ $DO_MAKE_UNINSTALL || exit 1
+ make distclean || exit 1
+ cd ..
+ rm libtasn1-$installed_libtasn1_version-done
+
+ if [ "$#" -eq 1 -a "$1" = "-r" ] ; then
+ #
+ # Get rid of the previously downloaded and unpacked version.
+ #
+ rm -rf libtasn1-$installed_libtasn1_version
+ rm -rf libtasn1-$installed_libtasn1_version.tar.gz
+ fi
+
+ installed_libtasn1_version=""
+ fi
+}
+
+install_p11_kit() {
+ if [ "$P11KIT_VERSION" -a ! -f p11-kit-$P11KIT_VERSION-done ] ; then
+ echo "Downloading, building, and installing p11-kit:"
+ [ -f p11-kit-$P11KIT_VERSION.tar.xz ] || curl -L -O https://github.com/p11-glue/p11-kit/releases/download/$P11KIT_VERSION/p11-kit-$P11KIT_VERSION.tar.xz || exit 1
+ $no_build && echo "Skipping installation" && return
+ xzcat p11-kit-$P11KIT_VERSION.tar.xz | tar xf - || exit 1
+ cd p11-kit-$P11KIT_VERSION
+ # Same hack for libffi missing pkg-config files as GLib
+ includedir=`xcrun --show-sdk-path 2>/dev/null`/usr/include
+ LIBFFI_CFLAGS="-I $includedir/ffi" LIBFFI_LIBS="-lffi" CFLAGS="$CFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" CXXFLAGS="$CXXFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" LDFLAGS="$LDFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" ./configure --without-trust-paths || exit 1
+ make $MAKE_BUILD_OPTS || exit 1
+ $DO_MAKE_INSTALL || exit 1
+ cd ..
+ touch p11-kit-$P11KIT_VERSION-done
+ fi
+}
+
+uninstall_p11_kit() {
+ if [ ! -z "$installed_p11_kit_version" ] ; then
+ #
+ # Nettle depends on this, so uninstall it.
+ #
+ uninstall_nettle "$@"
+
+ echo "Uninstalling p11-kit:"
+ cd p11-kit-$installed_p11_kit_version
+ $DO_MAKE_UNINSTALL || exit 1
+ make distclean || exit 1
+ cd ..
+ rm p11-kit-$installed_p11_kit_version-done
+
+ if [ "$#" -eq 1 -a "$1" = "-r" ] ; then
+ #
+ # Get rid of the previously downloaded and unpacked version.
+ #
+ rm -rf p11-kit-$installed_p11_kit_version
+ rm -rf p11-kit-$installed_p11_kit_version.tar.xz
+ fi
+
+ installed_p11_kit_version=""
+ fi
+}
+
 install_nettle() {
 if [ "$NETTLE_VERSION" -a ! -f nettle-$NETTLE_VERSION-done ] ; then
 echo "Downloading, building, and installing Nettle:"
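Review bot: `cd nettle-$installed_libtasn1_version` in uninstall_libtasn1 enters the wrong tree, so `make uninstall` and `make distclean` run against a nettle directory of that name (or, when no such directory exists, in whatever directory the script is currently in, since the `cd` has no `|| exit`), while the `rm libtasn1-$installed_libtasn1_version-done` afterwards still clears the marker; it should be `cd libtasn1-$installed_libtasn1_version`. The comment `# Nettle depends on this, so uninstall it.` in uninstall_p11_kit looks inaccurate: as far as I can tell p11-kit is a dependency of GnuTLS rather than of Nettle, so something like `# GnuTLS depends on this; uninstalling Nettle takes GnuTLS down first.` would describe the call chain — worth confirming against uninstall_nettle, which is outside the hunk. Both new downloads follow the script's existing `curl -L -O` pattern with no checksum or signature check; ftpmirror.gnu.org in particular redirects to third-party mirrors, so comparing each tarball against a pinned SHA-256 (or verifying the GNU `.sig`) before unpacking would keep a substituted archive out of the crypto stack. `--without-trust-paths` on the p11-kit configure line is unexplained; a one-line comment saying why no system trust-anchor directories are compiled in (presumably because only the PKCS #11 module loading is needed here) would help the next maintainer.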
@@ -1127,7 +1218,7 @@ install_nettle() {
 $no_build && echo "Skipping installation" && return
 gzcat nettle-$NETTLE_VERSION.tar.gz | tar xf - || exit 1
 cd nettle-$NETTLE_VERSION
- CFLAGS="$CFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" CXXFLAGS="$CXXFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" LDFLAGS="$LDFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" ./configure --with-libgcrypt --without-p11-kit || exit 1
+ CFLAGS="$CFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" CXXFLAGS="$CXXFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" LDFLAGS="$LDFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" ./configure || exit 1
 make $MAKE_BUILD_OPTS || exit 1
 $DO_MAKE_INSTALL || exit 1
 cd ..
@@ -1188,7 +1279,7 @@ install_gnutls() {
 bzcat gnutls-$GNUTLS_VERSION.tar.bz2 | tar xf - || exit 1
 fi
 cd gnutls-$GNUTLS_VERSION
- CFLAGS="$CFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" CXXFLAGS="$CXXFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" LDFLAGS="$LDFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" ./configure --with-included-libtasn1 --with-included-unistring --without-p11-kit --disable-guile || exit 1
+ CFLAGS="$CFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" CXXFLAGS="$CXXFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" LDFLAGS="$LDFLAGS $VERSION_MIN_FLAGS $SDKFLAGS" ./configure --with-included-unistring --disable-guile || exit 1
 make $MAKE_BUILD_OPTS || exit 1
 $DO_MAKE_INSTALL || exit 1
 cd ..
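Review bot: The GnuTLS configure line in the second hunk now relies on p11-kit being auto-detected — `--without-p11-kit` was dropped but nothing affirmative replaced it — so if pkg-config does not see the freshly installed p11-kit, configure quietly builds a GnuTLS without PKCS #11 support and the CMake symbol check just switches the feature off, which is exactly the silent outcome this commit sets out to end. Passing `./configure --with-p11-kit --with-included-unistring --disable-guile || exit 1` makes a missing or undetected p11-kit a hard configure failure instead; the same reasoning applies to the dropped `--with-included-libtasn1`, since an undetected libtasn1 presumably falls back to the bundled copy without anyone noticing. Whether the prefix used by $DO_MAKE_INSTALL is on pkg-config's search path is not visible in this hunk, so that is worth confirming. For the nettle hunk above, the removed `--with-libgcrypt --without-p11-kit` do not appear to be Nettle configure options at all, so dropping them is fine and no replacement is needed.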
@@ -2249,6 +2340,28 @@ install_all() {
 uninstall_gmp -r
 fi

+ if [ ! -z "$installed_p11_kit_version" -a \
+ "$installed_p11_kit_version" != "$P11KIT_VERSION" ] ; then
+ echo "Installed p11-kit version is $installed_p11_kit_version"
+ if [ -z "$P11KIT_VERSION" ] ; then
+ echo "p11-kit is not requested"
+ else
+ echo "Requested p11-kit version is $P11KIT_VERSION"
+ fi
+ uninstall_p11_kit -r
+ fi
+
+ if [ ! -z "$installed_libtasn1_version" -a \
+ "$installed_libtasn1_version" != "$LIBTASN1_VERSION" ] ; then
+ echo "Installed libtasn1 version is $installed_libtasn1_version"
+ if [ -z "$LIBTASN1_VERSION" ] ; then
+ echo "libtasn1 is not requested"
+ else
+ echo "Requested libtasn1 version is $LIBTASN1_VERSION"
+ fi
+ uninstall_libtasn1 -r
+ fi
+
 if [ ! -z "$installed_libgcrypt_version" -a \
 "$installed_libgcrypt_version" != "$LIBGCRYPT_VERSION" ] ; then
 echo "Installed libgcrypt version is $installed_libgcrypt_version"
@@ -2551,6 +2664,10 @@ install_all() {

 install_gmp

+ install_libtasn1
+
+ install_p11_kit
+
 install_nettle

 install_gnutls
@@ -2654,6 +2771,10 @@ uninstall_all() {

 uninstall_nettle

+ uninstall_p11_kit
+
+ uninstall_libtasn1
+
 uninstall_gmp

 uninstall_libgcrypt
@@ -2814,6 +2935,8 @@ then
 installed_libgpg_error_version=`ls libgpg-error-*-done 2>/dev/null | sed 's/libgpg-error-\(.*\)-done/\1/'`
 installed_libgcrypt_version=`ls libgcrypt-*-done 2>/dev/null | sed 's/libgcrypt-\(.*\)-done/\1/'`
 installed_gmp_version=`ls gmp-*-done 2>/dev/null | sed 's/gmp-\(.*\)-done/\1/'`
+ installed_libtasn1_version=`ls libtasn1-*-done 2>/dev/null | sed 's/libtasn1-\(.*\)-done/\1/'`
+ installed_p11_kit_version=`ls p11-kit-*-done 2>/dev/null | sed 's/p11-kit-\(.*\)-done/\1/'`
 installed_nettle_version=`ls nettle-*-done 2>/dev/null | sed 's/nettle-\(.*\)-done/\1/'`
 installed_gnutls_version=`ls gnutls-*-done 2>/dev/null | sed 's/gnutls-\(.*\)-done/\1/'`
 installed_lua_version=`ls lua-*-done 2>/dev/null | sed 's/lua-\(.*\)-done/\1/'`